Hackers Attacking Blockchain Engineers with Novel macOS Malware

The frequency of hackers exploiting macOS flaws varies over time, but Apple continuously releases security updates to patch vulnerabilities. 

While macOS is generally considered more secure than some other operating systems but, it is not immune to exploitation, and hackers may target it, especially if they discover new vulnerabilities.

Recently, cybersecurity researchers at Elastic Security Labs identified that hackers are actively attacking blockchain engineers of a crypto exchange platform with a new macOS malware.

Novel macOS Malware

For initial access and post-exploitation, the breach used custom and open-source tools. It was detected during the analysis of a macOS endpoint involving a Python app disguised as a crypto bot in a Discord direct message.

Document
FREE Webinar

Webinar on Cyber Resilience for Financial Sector

Ensure your Cyber Resiliance with the recent wave of cyber-attacks targeting the financial services sector. Almost 60% respondents not confident to recover fully from a cyber attack.

This activity is linked to DPRK and shares similarities with the Lazarus Group, and security analysts labeled it REF7001 by considering the following elements:-

  • Techniques
  • Infrastructure
  • Certificates
  • Detection rules

Malicious actors posed as blockchain community members on a public Discord, duping an individual into downloading a deceptive ZIP file. The victim mistook it for a crypto arbitrage bot, leading to an initial compromise.

This marked the start of REF7001’s malware sequence, ultimately leading to ‘KANDYKORN”:-

  • Stage 0 (Initial Compromise) – Watcher.py
  • Stage 1 (Dropper) – testSpeed.py and FinderTools
  • Stage 2 (Payload) – .sld and .log – SUGARLOADER
  • Stage 3 (Loader)- Discord (fake) – HLOADER
  • Stage 4 (Payload) – KANDYKORN

Both stage 3 and stage 4 executables share the same encrypted RC4 protocol for C2 communication, using a consistent key. These samples wrap send-and-receive system calls, encrypting data before sending and decrypting before processing.

During initialization, a handshake occurs between the malware and the C2, and if the handshake fails, the attack halts.

The client sends a random number to the C2, which responds with a nonce, and then a challenge is computed by the client and sent to the server.

After the connection, the client shares its ID and awaits server commands. All data exchanged follows a consistent serialization pattern:-

  • Length
  • Payload
  • Return code to track errors

REF7001 involved the adversary obtaining payloads and loaders from the network infrastructure. They distributed the initial malware archive via a Google Drive link in a blockchain Discord server.

Besides this, two C2 servers were detected during the REF7001 analysis, and they are mentioned below:-

  • tp-globa[.]xyz//OdhLca1mLUp/lZ5rZPxWsh/7yZKYQI43S/fP7savDX6c/bfC
  • 23.254.226[.]90

DPRK’s LAZARUS GROUP targets crypto firms for stolen coins to evade sanctions. They trick blockchain engineers on a chat server, promising money but infecting victims who interact.

Protect yourself from vulnerabilities using Patch Manager Plus to patch over 850 third-party applications quickly. Try a free trial to ensure 100% security.

Gurubaran

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Recent Posts

10 Best DNS Management Tools – 2025

Best DNS Management Tools play a crucial role in efficiently managing domain names and their…

1 hour ago

Sweet Security Announces Availability of its Cloud Native Detection & Response Platform on the AWS Marketplace

Customers can now easily integrate Sweet’s runtime detection and response platform into their AWS environments…

14 hours ago

Researchers Detailed Credential Abuse Cycle

Cybercriminals exploit leaked credentials, obtained through various means, to compromise systems and data, enabling them…

18 hours ago

New Android Malware SpyAgent Taking Screenshots Of User’s Devices

SpyAgent, a newly discovered Android malware, leverages OCR technology to extract cryptocurrency recovery phrases from…

18 hours ago

Tor Network Suffers IP Spoofing Attack Via Non-Exit Relays

In late October 2024, a coordinated IP spoofing attack targeted the Tor network, prompting abuse…

18 hours ago

Metasploit Framework Released with New Features

The Metasploit Framework, a widely used open-source penetration testing tool maintained by Rapid7, has introduced…

21 hours ago